Orvibo
Student’s Name
University’s Name
Date
History of Orvibo
Orvibo is a Chinese information technology company focused on the ‘Internet of Things’ (IoT). After designing the world’s first GSM smart socket in 2011, ORVIBO spent four years researching and developing a smart home system. In 2014, ORVIBO launched affordable home automation gadgets and stirred a massive wave in the market. Their product range is vast, including micro intelligent products for individuals and villas. As an ICT company, Orvibo has teams of software and hardware engineers working on each of its products. Using microchips from manufacturers such as MARVELL, TI and ST, they develop state-of-the-art solutions for home-based appliances, including household appliances, lighting, security and smart furniture, creating a pleasant and convenient lifestyle (Fawkes, 2020). ORVIBO adheres to the business philosophy of ‘Integrity, Reliability, Simplicity and Innovation’.
The Attack
In 2019, a data leak reported by Forbes and a few other sources was claimed to comprise over 2 billion user logs of Orvibo. A database belonging to Orvibo had been left open without any password protection, offering a treat for the self-styled “hacktivist” security researchers Noam Rotem and Ran Locar. The breach was discovered by VPN Mentor, a cybersecurity research group that runs a project designed to map vulnerabilities on the web. The data included in the breach was extensive: email addresses, passwords, precise geolocation, IP addresses, user names/IDs, smart device information and scheduling information.
Since Orvibo claimed to have over a million users connected to its systems, living in small apartments or houses and carrying portable smart devices, the disclosed data was massive. The attack constituted an enormous breach of privacy as well as security, not to mention the further implications after the breach. Considering the amount of personal data in this database, there were two privacy risks. First, because the volume of data was huge, there was a high chance of re-identifying individuals even where the stored data was not personal information directly linked to an individual. Second, personal data in the database that appears harmless can be used to infer critical data that would be very harmful to the individual.
Diamond Model
This attack, one of the most famous of this era, is addressed from the perspective of a well-known threat analysis model, the Diamond Model. The model contains four main components: the victim, capabilities, infrastructure and adversary. The model’s core axiom states that “For every intrusion event, there exists an adversary taking a step toward an intended goal by using a capability over infrastructure against a victim to produce a result” (Caltagirone, 2013). Each attack can be defined by looking at how the attacker has utilized the infrastructure and his capabilities to gain unauthorized access.
The Victim
A victim is the target of the adversary, against whom vulnerabilities and exposures are exploited and capabilities used (Stephen, 2001). After going through the reports of the attack, we can conclude that the victim in this case had been very irresponsive. Leaving a database unprotected was never going to do any good, as the world witnessed. In this day and age, even protected databases cannot be considered safe enough; an unprotected one does not stand a chance.
To get to the adversary, we have to start by knowing who the victims are. According to the research at hand, the victim is a conglomerate based on the Internet of Things. They specialize in making smart home appliances, as we studied earlier, and their customers are ordinary folks, for example families and individuals. Finally, the victim had been very irresponsive towards the security of their architecture. At this point, with the information we have secured, we cannot point to any adversary, hence we move forward to the capabilities and infrastructure.
Capabilities
The capability feature describes the tools and techniques used by the adversary in an event. The flexibility of the model allows the capability to be described in sufficient fidelity. The database was already exposed, hence the attack hardly required any capabilities on the adversary’s part. The remote server’s address could be found in the code of the devices connecting to it. Once the address was known and the database found unprotected, it was not much of a problem for the attacker to reach the data.
Looking at the detailed reports, we find screenshots of the logs the server was maintaining. They contained information such as usernames, emails and passwords of the users. In some logs, the researchers found information such as the reset links the device users had used, when the information was logged and the data transferred.
Although the company had put some effort into concealing the passwords by hashing them with MD5, it did not help much in a scenario where the reset links were exposed. The Orvibo incident went one step further in diluting the security value of MD5 hashing: the passwords and reset codes were hashed but not salted. Salting means appending a unique value, the salt, to every password before hashing, so that identical passwords produce different hash values; this acts as an additional security layer against a brute force attack.
Anybody could simply reset the password for a particular account, which would log the actual user out of their account and prevent them from logging in. So, judging from the capabilities, we know that the attack did not require much.
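The following is an added example, not code from the paper or from Orvibo, contrasting the unsalted MD5 scheme described above with a salted, slow-KDF scheme. The account names and passwords are constructed; the audit helper shows why unsalted hashes alone leak that two users share a password, while per-user salts (here with PBKDF2-HMAC-SHA256) do not.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample accounts (not real Orvibo data); alice and bob share a password.
USERS: Dict[str, str] = {"alice": "Summer2019!", "bob": "Summer2019!", "carol": "Tr0ub4dor&3"}
PBKDF2_ITERATIONS = 200_000


def md5_unsalted(password: str) -> str:
    """Weak scheme from the incident: plain MD5, no salt, so equal passwords give equal digests."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_salted(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Hardened scheme: random 16-byte per-user salt plus a slow KDF (PBKDF2-HMAC-SHA256).
    Returns (salt, digest); both are stored, and the salt need not be secret."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_salted(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_salted(password, salt)
    return hmac.compare_digest(digest, stored_digest)


def shared_password_groups(digests: Dict[str, str]) -> List[List[str]]:
    """Audit helper: group usernames whose stored digests are identical. With unsalted
    hashes this alone tells whoever holds the dump which users share a password."""
    by_digest: Dict[str, List[str]] = {}
    for user, digest in digests.items():
        by_digest.setdefault(digest, []).append(user)
    return [users for users in by_digest.values() if len(users) > 1]


def audit_unsalted(users: Dict[str, str]) -> List[List[str]]:
    """Same password -> same MD5 digest, so the shared password is visible in the dump."""
    return shared_password_groups({u: md5_unsalted(p) for u, p in users.items()})


def audit_salted(users: Dict[str, str]) -> List[List[str]]:
    """Per-user salts make the digests differ even for identical passwords."""
    return shared_password_groups({u: hash_salted(p)[1].hex() for u, p in users.items()})
```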
Infrastructure
The infrastructure feature describes the physical and logical communication structures the adversary uses to deliver a capability, maintain control of capabilities and effect results from the victim (e.g. exfiltrate data). In our instance, we are aware that the attacker only used an active internet connection and a couple of penetration tools which could have been on literally anyone’s laptop. VPN Mentor’s software was able to navigate to the Elasticsearch database and browse all of its information using a simple scan tool, without needing any kind of authentication. Even a novice could have gained access in the given circumstances. Until now, all circumstances were in favour of the attacker, and they happen to have utilized them very well.
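As an added example (not from the paper and not Orvibo’s actual configuration), the following audit contrasts a hypothetical Elasticsearch configuration matching the exposure described above (bound to every interface, no authentication) with a hardened one. It assumes the flat `key: value` form of elasticsearch.yml and treats a missing xpack.security.enabled as false, which was the pre-8.x default.

```python
from typing import Dict, List

# Constructed elasticsearch.yml fragments (hypothetical, not Orvibo's real configuration).
WEAK_CONFIG = """
cluster.name: smart-home-logs
network.host: 0.0.0.0   # listen on every interface
xpack.security.enabled: false
"""

HARDENED_CONFIG = """
cluster.name: smart-home-logs
network.host: 127.0.0.1
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

# network.host values that bind the node to more than the local machine.
NON_LOOPBACK = {"0.0.0.0", "::", "_global_", "_site_"}


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Minimal parser for the flat `key: value` lines elasticsearch.yml normally uses
    (comments stripped; nested YAML is out of scope here)."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def audit(settings: Dict[str, str]) -> List[str]:
    """Findings for the exposure pattern in this incident. A missing xpack.security.enabled
    is treated as false (assumption: pre-8.x default)."""
    findings: List[str] = []
    no_auth = settings.get("xpack.security.enabled", "false").lower() != "true"
    host = settings.get("network.host", "")
    exposed = host in NON_LOOPBACK
    if no_auth:
        findings.append("authentication disabled: xpack.security.enabled is not true")
    if exposed:
        findings.append(f"node reachable from the network: network.host={host}")
    if settings.get("xpack.security.http.ssl.enabled", "false").lower() != "true":
        findings.append("HTTP API served without TLS")
    if no_auth and exposed:
        findings.append("CRITICAL: anyone who can reach the HTTP port can read every index")
    return findings
```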
The Adversary
There always exists a set of adversaries that seek to compromise computer systems or networks to further their intent and satisfy their needs (Steven, 2002). Considering the evidence and reports provided, the attacker was either someone from a competing organization in the field or someone who simply wanted to sell the data. Competitors would have the advantage of damaging the company’s reputation by letting its users know that their data is not safe. There could have been an insider who helped the attacker(s) discover that an unprotected server exposing users’ data existed. Situations like these are highly beneficial for competitor organizations, especially when the data breach is as massive as this.
On the other hand, a party could have found the vulnerability in the server and intended to use it for some money. Real-world user data is highly valuable on the dark web, and hackers gain unauthorized access in order to sell consumer data all the time. Sometimes they are paid handsomely to do so on behalf of other parties as well. So as far as the facts are concerned, our second-best guess is the typical hacker community that wants to sell data obtained without authorization.
The Diamond Model is built to describe how an adversary uses a capability of choice over a given infrastructure against a chosen victim (Caltagirone, 2013). The model has vertices and edges, where the vertices are linked by the edges. An analyst using this model bases their searches on the vertices and edges, allowing more discoveries and detections as well as more information on the components. Applying the model here makes it possible to gather more information on the attack and the necessary possible actions.
Policy Assessment
Policy Loopholes
Analysis of this breach shows that most of the loopholes and blunders were on the victim’s side and were internal to the organization. Policies at the national level were in place. As we know, GDPR is the global data protection policy enforced and implemented to avoid such hazardous situations. It obliges organizations to protect their consumers’ data as they would protect their own, and if they fail to do so, the organization faces serious charges (Gruschka, 2018). In the discussed attack, GDPR was ignored entirely, which was a severe mistake at the organizational level and should have been dealt with legally. To mitigate this, the organization needed to have a GDPR-compliant privacy notice.
Another fault at the organizational level was the absence of any policy-making mechanism for the organization’s internal blunders. This issue required a privacy policy for the internal control of the organization (Siegel, 2016). This database could have been left open on purpose, which is less likely to be the actual situation: no organization aware of the severity of such a mistake would do it willingly. The fault could also have been committed on purpose by an employee of the organization to benefit the adversary. In both scenarios, the organization needed a policy in place to deal with the discussed circumstances.
Another thing found missing at the organizational level was checks and balances. Big organizations should have a designated department working on checks and balances for both systems. This fault was an apparent lack of responsibility at the management level. An organization’s security is not something to be taken lightly. For an IT company, information security is the key to gaining the trust of the market and everyday consumers. Why would a consumer invest in an organization that is not willing to keep its data safe?
According to research, it is common practice for IT companies not to put effort into the data protection of their consumers, which is a point to ponder for all. If the IT companies themselves are not protected, how are they supposed to provide secure and safe smart services to their customers? It is an unfortunate mishap for Orvibo and a question mark for many other software and hardware solution-based companies.
GDPR is an EU law that deals with data protection and privacy in the European Union and among businesses operating there. Orvibo, which also sells its products in European Union countries, is bound by the GDPR. The organization should consider protection and security from the initial process of building the organization (Stephen, 2001). All organizations should have policies and regulations such as privacy policies and privacy notices in place, in addition to security measures such as intrusion detection and access log maintenance.
Conclusion
Data breaches are common for companies that collect a large amount of consumer data, because consumer data happens to be worth a good fortune on the dark web. Organizations should always prepare for such breaches and keep intrusion detection and prevention systems in place to avoid unfortunate situations. Taking the facts into account, the breach discussed above was handed to the hackers on a plate. It was a severe blunder at the organizational level, where protecting the data should have been a necessary step towards securing the organization’s future position in the market and its consumers’ data. Most IT organizations do not seem to be taking these incidents as seriously as they should. Mistakes like these cost organizations like Orvibo a good fortune, and that is why a checks and balances system must be in place at every cost. Governance should be at the national level, since the national level has proved to have fulfilled its responsibilities.
References
- Fawkes, G. (2020). Report: Orvibo Smart Home Devices Leak Billions of User Records. VPN Mentor. Retrieved from https://www.vpnmentor.com/blog/report-orvibo-leak/
- Gruschka, N., Mavroeidis, V., Vishi, K., & Jensen, M. (2018). Privacy Issues and Data Protection in Big Data: A Case Study Analysis under GDPR.
- Applying Threat Intelligence to the Diamond Model of Intrusion Analysis. (2020, March 11). Recorded Future. Retrieved from https://www.recordedfuture.com/diamond-model-intrusion-analysis/
- Northcutt, S., Cooper, M., Fearnow, M., & Frederick, K. (2001). Intrusion Signatures and Analysis. Indianapolis, IN: New Riders Publishing.
- Cohen, F. B. (1995). Protection and Security on the Information Superhighway. New York, NY: John Wiley & Sons.
- Eckmann, S. T., Vigna, G., & Kemmerer, R. A. (2002). STATL: An attack language for state-based intrusion detection. Journal of Computer Security, 10(1), 71–163.
- Caltagirone, S., Pendergast, A., & Betz, C. (2013). The Diamond Model of Intrusion Analysis. A Summary by Sergio Caltagirone. Retrieved from https://pdfs.semanticscholar.org/dca1/9253781fbc429d85ec09e8f0f7f2ddbe7fdf.pdf?_ga=2.91932505.2145268944.1587036118-2068577278.1585752487
- General Data Protection Regulation (GDPR). (n.d.). Intersoft Consulting. Retrieved from https://gdpr-info.eu/
- GDPR.eu. (2020). Writing a GDPR-Compliant Privacy Notice (Template Included). Retrieved from https://gdpr.eu/privacy-notice/ [Accessed 17 April 2020].
- Robinson, T. (2019, July 2). Exposed Orvibo database leaks two billion records. SC Magazine. Retrieved from https://www.scmagazine.com/home/security-news/exposed-orvibo-database-leaks-two-billion-records/
- Cuppens, F., & Ortalo, R. (2000). LAMBDA: A language to model a database for detection of attacks. In Proceedings of the Third International Workshop, RAID 2000 (pp. 197–216). Berlin, Heidelberg: Springer-Verlag.
- John, W., & Olovsson, T. (2008). Detection of malicious traffic on back-bone links via packet header analysis. Campus-Wide Information Systems, 25, 342–358.
- Sanders, C. (2011, January). The 10 commandments of intrusion analysis. Retrieved from http://chrissanders.org/2011/01/the-10-commandments-of-intrusion-analysis/
- Siegel, B. (2016). Privacy Policy or Privacy Notice: What’s the Difference? CSO Online. Retrieved from https://www.csoonline.com/article/3063601/privacy-policies-and-privacy-notices-whats-the-difference.html [Accessed 17 April 2020].